## Server release RELEASE.2024-03-26T22-10-45Z

- Adding info about node dashboard for Grafana.
- Also updates links to JSON files for other dashboards that were incorrect.

*no related docs issue*

## Not a server release, but fixes:

- Corrects information about JSON policy file size limits.
- Adds information about limit on tags per object.

Closes #1134

## Server RELEASE.2024-03-21T23-13-43Z

- Adds new `user` envvar and config for REDIS notifications
- Simplifies and updates discussion of encryption keys for SSE

Closes #1169
MinIO generates a Data Encryption Key (DEK) using the |EK|. Specifically, MinIO Key Encryption Service (KES) requests a new cryptographic key from the KMS using the |EK| as the "root" key.
KES returns both the plain-text and an |EK|-encrypted representation of the DEK. MinIO stores the encrypted representation as part of the object metadata.
MinIO uses a deterministic algorithm to generate a 256-bit unique Key Encryption Key (KEK). The key-derivation algorithm uses a pseudo-random function that takes the plain-text |DEK|, a randomly generated initialization vector, and a context consisting of values like the bucket and object name.
MinIO generates the KEK at the time of each cryptographic encryption or decryption operation and never stores the KEK to a drive.
MinIO generates a random 256-bit unique Object Encryption Key (OEK) and uses that key to encrypt the object. MinIO never stores the plaintext representation of the OEK on a drive. The plaintext OEK resides in RAM during cryptographic operations.
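
The key hierarchy described above, sketched in Go as an added example; it is not MinIO's code and not part of the original page. It derives a KEK from the plain-text DEK, a random IV and the bucket/object context, then shows that an OEK sealed for one object cannot be opened with the KEK derived for another object. Assumptions: HMAC-SHA256 as the pseudo-random function, AES-256-GCM as the sealing cipher, the `bucket/object` context encoding, the use of the KEK to seal the OEK, and all function names, which are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed primitives: HMAC-SHA256 as the PRF here, AES-256-GCM as the sealing cipher below.
func deriveKEK(dek, iv []byte, bucket, object string) []byte {
	mac := hmac.New(sha256.New, dek) // keyed with the plaintext DEK
	mac.Write(iv)
	mac.Write([]byte(bucket + "/" + object)) // context; bucket names cannot contain "/"
	return mac.Sum(nil)                      // 256-bit KEK, recomputed per operation
}

func kekCipher(dek, iv []byte, bucket, object string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKEK(dek, iv, bucket, object)) // KEK stays in memory
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealOEK(c cipher.AEAD, oek []byte) ([]byte, error) {
	nonce := make([]byte, c.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.Seal(nonce, nonce, oek, nil), nil // nonce||ciphertext, safe to persist
}

// unsealOEK fails when the KEK came from a different DEK, IV or object path.
func unsealOEK(c cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := c.NonceSize(); len(sealed) > n {
		return c.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed OEK too short")
}

func main() {
	dek, iv, oek := make([]byte, 32), make([]byte, 32), make([]byte, 32) // constructed all-zero sample keys
	cat, _ := kekCipher(dek, iv, "photos", "cat.png")
	dog, _ := kekCipher(dek, iv, "photos", "dog.png")
	sealed, _ := sealOEK(cat, oek)
	fmt.Println(unsealOEK(dog, sealed)) // OEK sealed for cat.png does not open under dog.png's KEK
}
```

Because the context is an input to the derivation, copying the sealed key material from one object's metadata to another object yields an authentication failure instead of a usable OEK.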